[Openstack-security] [Bug 1168252] Re: keystone.conf should not be world-readable (to keep LDAP password and admin_token secret)
Matthew Thode
1168252 at bugs.launchpad.net
Fri May 17 15:33:38 UTC 2013
Fix released for folsom and grizzly: grizzly with the devstack patch and
folsom with this patch.
diff -Naur keystone-2012.2.4/keystone/config.py keystone-2012.2.4.new/keystone/config.py
--- keystone-2012.2.4/keystone/config.py 2013-04-11 15:02:19.000000000 -0400
+++ keystone-2012.2.4.new/keystone/config.py 2013-05-17 11:26:57.557918817 -0400
@@ -110,7 +110,7 @@
group = kw.pop('group', None)
return conf.register_cli_opt(cfg.IntOpt(*args, **kw), group=group)
-register_str('admin_token', default='ADMIN')
+register_str('admin_token', secret=True, default='ADMIN')
register_str('bind_host', default='0.0.0.0')
register_str('compute_port', default=8774)
register_str('admin_port', default=35357)
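Review bot: `secret=True` on `admin_token` only masks the value when option values are dumped to a log; it does nothing about the world-readable keystone.conf that the bug title describes, so this change needs to be paired with a packaging fix that installs the file with restrictive permissions. Also confirm that `register_str` forwards `**kw` to `cfg.StrOpt` the way the `register_int` context above forwards it to `cfg.IntOpt`, otherwise the new keyword will not take effect.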
@@ -162,7 +162,7 @@
#ldap
register_str('url', group='ldap', default='ldap://localhost')
register_str('user', group='ldap', default='dc=Manager,dc=example,dc=com')
-register_str('password', group='ldap', default='freeipa4all')
+register_str('password', group='ldap', secret=True, default='freeipa4all')
register_str('suffix', group='ldap', default='cn=example,cn=com')
register_bool('use_dumb_member', group='ldap', default=False)
register_str('user_name_attribute', group='ldap', default='sn')
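Review bot: the hard-coded default `'freeipa4all'` for the `[ldap]` `password` option survives this change; `secret=True` keeps it out of logs, but a real-looking credential still ships as the default, and the bug description's sample config shows `password = None`, so a `None` default that forces the operator to set a value is the safer choice here.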
** Package changed: keystone (Gentoo Linux) => gentoo
--
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1168252
Title:
keystone.conf should not be world-readable (to keep LDAP password and
admin_token secret)
Status in devstack - openstack dev environments:
Confirmed
Status in OpenStack Security Notes:
Fix Released
Status in Gentoo Linux:
Unknown
Bug description:
The password configuration of LDAP and admin_token in keystone.conf
should be secret to protect security information:
[ldap]
# url = ldap://localhost
# user = dc=Manager,dc=example,dc=com
# password = None <- should be secret
# suffix = cn=example,cn=com
# use_dumb_member = False
# allow_subtree_delete = False
# dumb_member = cn=dumb,dc=example,dc=com
[DEFAULT]
admin_token = passw0rd <- should be secret
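Added example, not keystone's or oslo.config's own code: a small stand-in option registry that shows what the `secret=True` flag buys (the value is masked when option values are dumped to a log) and the file-mode check that the bug title is actually about. `register_str`, `dump_opts` and `world_readable` are hypothetical helpers that only mimic the oslo.config behaviour; the option names and defaults are taken from the patch and the bug description.

```python
import os
import stat
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class StrOpt:
    """Minimal stand-in for cfg.StrOpt (hypothetical, not oslo.config)."""
    name: str
    default: Optional[str] = None
    group: str = "DEFAULT"
    secret: bool = False  # True: value is masked when options are dumped


# (group, name) -> option, mirroring the registrations in the patch
OPTS: Dict[Tuple[str, str], StrOpt] = {}


def register_str(name: str, group: str = "DEFAULT",
                 secret: bool = False, default: Optional[str] = None) -> None:
    OPTS[(group, name)] = StrOpt(name, default, group, secret)


register_str('admin_token', secret=True, default='ADMIN')
register_str('url', group='ldap', default='ldap://localhost')
register_str('user', group='ldap', default='dc=Manager,dc=example,dc=com')
register_str('password', group='ldap', secret=True, default='freeipa4all')


def dump_opts(values: Optional[Dict[Tuple[str, str], str]] = None) -> List[str]:
    """Render 'group.name = value' lines the way a config dump to a log
    would, replacing every secret option's value with '****'."""
    values = values or {}
    lines = []
    for key, opt in sorted(OPTS.items()):
        val = values.get(key, opt.default)
        shown = '****' if opt.secret else val
        lines.append(f"{key[0]}.{key[1]} = {shown}")
    return lines


def world_readable(path: str) -> bool:
    """True if 'other' has read permission on the file, which is the
    keystone.conf exposure the bug reports regardless of secret=True."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)
```

Masking in the dump and a restrictive file mode are separate controls; the example makes it easy to confirm both on a given keystone.conf.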